AudioGuyWorkNotes
CssWork - parent Development DevelopmentWorkCurrentlyInProgressSlashDocumentationIndex PollingVotingNotesAudioguy
This is current problems/tasks/working notes.
To Do
- 1 Gathering docs, understanding code - ongoing
- 2 Walk through all admin access in slash and see where javascript can be dumped, what other fixes needed - put off for a few days while I try to fix htacces problem
- 3 Try minified javascript - in place testing - moved by Eric to main repository
- 4 Solve htaccess problem for staff slash/wiki - in process (see CommunicationSystems)
- 5 Solve topic add problem - put off until #2 is in process.
- 6 Created SystemAdministration wik area, writing emergency procedure - finished.
- Temporary staff poll thingie - in progress----
The htaccess problem
Put an htaccess file in the html folder for slash, as I have done hundreds to times before...and it did not work.
Specifically, it did nothing at all.
No error, just...nothing.
Nothing in log that revealed much.
A problem with debugging this is the presence of 'Varnish' a cache ahead of the server. However, in the end I am told this is not, on this particular server, doing anything but passing the requests through.
First problem noted was that in the main apache config, the directive AllowOverride None was in place. this prevents anything in htaccess files from overriding the main config. Changed to AllowOverride All. Still not working. Checked the local apache config in the site/sslashcott.org dir and saw that had another such directive. Changed that one. Still not working. Decided to give up on htaccess completely, and put the directives into the main apache file. Still not working.
Noticed, however, this in the slash apache config file:
# Fourth Apache phase: access control
PerlAccessHandler Slash::Apache::Banlist
PerlAccessHandler Slash::Apache::User
The slash apache module has taken control of the Apache access control phase.
I am pretty sure this means that ONLY the perl modules now can operate in that phase, as in apache 1.3, there is just a traversal through the different phases, and whoever handles the phase causes apache to go on to the next phase.
Tried to check the docs to confirm this, but apache has removed 1.3 docs from their site.
Finally found an old 1.3 source on a backup, grabbed the docs out of this, and read:
-- Apache breaks down request handling into a series of steps, more or less the same way the Netscape server API does (although this API has a few more stages than NetSite does, as hooks for stuff I thought might be useful in the future). These are:
- URI -> Filename translation
- Auth ID checking [is the user who they say they are?]
- Auth access checking [is the user authorized here?]
- Access checking other than auth
- Determining MIME type of the object requested
- `Fixups' --- there aren't any of these yet, but the phase is intended as a hook for possible extensions like SetEnv, which don't really fit well elsewhere.
- Actually sending a response back to the client.
- Logging the request
These phases are handled by looking at each of a succession of modules, looking to see if each of them has a handler for the phase, and attempting invoking it if so. The handler can typically do one of three things:
- Handle the request, and indicate that it has done so by returning the magic constant OK.
- Decline to handle the request, by returning the magic integer constant DECLINED. In this case, the server behaves in all respects as if the handler simply hadn't been there.
- Signal an error, by returning one of the HTTP error codes. This terminates normal handling of the request, although an ErrorDocument may be invoked to try to mop up, and it will be logged in any case.
Most phases are terminated by the first module that handles them; however, for logging, `fixups', and non-access authentication checking, all handlers always run (barring an error)
--
So in short, if perl decides to handle the 'access' phase, Apache cannot.
I am now 99% certain that I cannot use htaccess or any other access phase functions on the apache server with slash.
However, the slash system itself has all that is required to do this, I just need to find a way to use it.
And an looking now...
Proposed solution:
Slash always checks if a user is logged in early in the page generation process. Find that place, and modify it to redirect all users who are not logged in to a login page (which must be created.)
Tracing through code now...
A redirect to this page might work: http://slashcott.org/my/login
Trying a staff.shtml static version of that page... And that worked fine to log me in.
Now, will it work with no links on the side, or those links disabled?
Looking for a 'hook'
These pages use perl scripts:
- on front page-
journal.pl
messages.pl
topic.pl
authors.pl
search.pl (listed as older stuff)
pollbooth.pl (listed as past polls)
submit.pl (listed as submit story)
http://slashcott.org/~AudioGuy/ This is the link on the users name when logged in. Must be a redirect?
also most recent journal entries go to similar urls
like http://slashcott.org/~martyb/journal/
http://slashcott.org/index.pl?issue=20140206 - older stuff box, date link
http://slashcott.org/arhttp://slashcott.org/search.pl?start=2ticles/00/01/25/1430236.shtml older stuff box, article link
http://slashcott.org/search.pl?start=2 older stuff,'older articles'
http://slashcott.org/index.pl?issue=20140306 'yesterdays news'
-the topic images-
http://slashcott.org/search.pl?tid=8
- static shtml file links -
Forbidden
You don't have permission to access /faq/index.shtml on this server.
http://slashcott.org/about.shtml - 'about' on main menu
http://slashcott.org/faq.shtml - 'faq' on main menu
also:
authors.shtml - exists, but link goes to .pl version
hof.shtml - when accessed directly, goes to a summary of Most Active Stories etc
moderation.shtml - an textual page explaining what moderation is about
slashguide.shtml - goes to:
http://slashcott.org/faq/ which shows error:
"Forbidden You don't have permission to access /faq/index.shtml on this server."
staff.shtml - redirects internally to a login function - My page!!!!!!
topics.shtml - shows essentially same result as topics.pl list of topics.
-Main home logo-
http://slashcott.org/ actually goes to index.shtml
- the 'my' redirection
http://slashcott.org/my/ create account/login
Routines in the chief .pl pages:
# require POST and logged-in user for these ops
my $user_ok = $user->{state}{post} && !$user->{is_anon};
# possible value of "op" parameter in form
my %ops = (
edit => [ !$user->{is_anon}, \&editArticle ],
removemeta => [ !$user->{is_anon}, \&articleMeta ],
# require POST and logged-in user for these ops
my $user_ok = $user->{state}{post} && !$user->{is_anon};
display_prefs => [ !$user->{is_anon}, \&display_prefs ],
save_prefs => [ $user_ok, \&save_prefs ],
list_messages => [ !$user->{is_anon}, \&list_messages ],
No obvious check
no obvious check
no obvious check
no obvious check
my @redirect_ops;
push @redirect_ops, "title=" . strip_paramattr($form->{subj}) if $form->{subj};
push @redirect_ops, "url=" . strip_paramattr($form->{url}) if $form->{url};
if ($form->{subj} || $form->{url}) {
push @redirect_ops, "new=1";
my %ops = (
blankform => [1, \&blankForm],
previewstory => [1, \&previewStory],
pending => [!$user->{is_anon}, \&yourPendingSubmissions],
submitstory => [1, \&saveSub],
list => [$submiss_view, \&submissionEd],
viewsub => [$submiss_view, \&previewForm],
update => [$user->{is_admin}, \&updateSubmissions],
my $op = lc($form->{op} || 'default');
$op = 'default' if !$ops{$op} || !$ops{$op}[ALLOWED];
# require POST and logged-in user for these ops
my $user_ok = $user->{state}{post} && !$user->{is_anon};
# possible value of "op" parameter in form
my %ops = (
edit => [ !$user->{is_anon}, \&editArticle ],
removemeta => [ !$user->{is_anon}, \&articleMeta ],
preview => [ $user_ok, \&editArticle ],
save => [ $user_ok, \&saveArticle ],
# journal.pl waits until it's inside the op's subroutine to print
# its header. Headers are bottlenecked through _printHead.
my $op = lc($form->{op}) || '';
if (!$op || !exists $ops{$op} || !$ops{$op}[ALLOWED]) {
$op = 'default';
}
sub main {
my $start_time = Time::HiRes::time;
my $constants = getCurrentStatic();
my $user = getCurrentUser();
my $form = getCurrentForm();
my $slashdb = getCurrentDB();
my $reader = getObject('Slash::DB', { db_type => 'reader' });
return if redirect_home_if_necessary();
sub redirect_home_if_necessary {
my $user = getCurrentUser();
my $form = getCurrentForm();
my $script = '';
if (!$user->{is_anon} && defined $form->{usebeta}) {
if ( $form->{op} && $form->{op} eq 'userlogin' && !$user->{is_anon}
|| $form->{upasswd}
|| $form->{unickname}
) {
# Any login attempt, successful or not, gets
# redirected to the homepage, to avoid keeping
# the password or nickname in the query_string of
# the URL (this is a security risk via "Referer").
# (If we've determined the user needs to go to
# index2.pl, send them there.) Note that
# $form->{returnto} is processed by
# Slash::Apache::User::handler, which for reasons
# of a mysterious bug defers the actual redirect
# to be handled by this script.
$script = $form->{returnto} || '/';
}
if ($script) {
redirect($script);
return 1;
}
conclusion so far
There is not consistent way to handle security level on all he pl pages, they all either don't handle it at all, or handle it in different ways.
What is there consistently is:
- Inclusion of User and Utillity libs
- A main() routine
- there may be differences in how they call header, but all do in some fashion.
- They all call footer()
- redirect is in utility / Anchor.pm (in lib64)
sub redirect {
my($url, $code) = @_;
$code = 302 if !$code || $code != 301;
my $constants = getCurrentStatic();
$url = url2abs($url);
my $r = Apache->request;
$r->content_type($constants->{content_type_webpage} || 'text/html');
$r->header_out(Location => $url);
$r->status($code);
$r->send_http_header;
slashDisplay('html-redirect', { url => $url, code => $code });
}
Try to get topics.pl to redirect to my staff page
This works, right before the header call:
##############
if ($user->{is_anon} )
{
redirect("/staff.shtml");
}
##############
header(getData('head'), $form->{section}, $data) or return;
Todo
add
makes code easier if(privatesite) {} with button in admin interface
0 - off 1 = private.
List all pages and give list to paul for incorporation.
private_site variable set to 1 - this is the name
#######
# if ($user->{is_anon} && $private_site ) {redirect("/staff.shtml"); }
# may need to add a local private site and do what is needed to get it first
######
This is how constants in vars are accessed:
my $constants = getCurrentStatic();
if ($constants->{body_bytes}) {}
Ok, so this should work:
Must first make sure my $constants = getCurrentStatic(); earlier, then
######
if ( $user->{is_anon} && $constants->{private_site} ) {redirect("/staff.shtml"); }
# should change name of staff.shtml to loginonly.shtml or justlogin.shtml
######
Discuss code style.
Suggest voluminous comments with option to emove easily with a grep -v
Hard left # for comments to be remove, code indented as usual.
##########
#
# Code added Sun Mar 9 13:33:10 PDT 2014 - audioguy
# to add a private slash option.
# If database table 'vars' variable 'private_site' != 0 then site is private
# and all non-logged in users will be redirected to a login page.
# This code requires my $constants = getCurrentStatic(); declared earlier to
# insure the constant 'private_site' (set in admin interface, variables)
# is available locally. ( also $user = getCurrentUser(); )
# This routine must be added to all publicly available .pl scripts
# (pages, not inclusions), just prior to the first header() call.
#
if( $user->{is_anon} && $constants->{private_site} ) { redirect("/loginonly.shtml"); }
#
##########
Change the page staff name to reflect its real usage: loginonly.shtml
Perl pages that are known to require this change:
admin.pl -> /usr/local/slash/plugins/Admin/admin.pl index.pl -> /usr/local/slash/themes/slashcode/htdocs/index.pl journal.pl -> /usr/local/slash/plugins/Journal/journal.pl messages.pl -> /usr/local/slash/plugins/Messages/messages.pl topics.pl -> /usr/local/slash/themes/slashcode/htdocs/topics.pl # problem authors.pl -> /usr/local/slash/themes/slashcode/htdocs/authors.pl # even thugh the link points to this script, iy is never executed. I can rename it, no # effect. It is actually authors.shtml that is executed. Must be a redirect somewhere. # must track down and fix this when the shtml pages are fixed. # You would think directly calling authors.pl would call it... search.pl -> /usr/local/slash/plugins/Search/search.pl pollbooth.pl submit.pl help.pl - page with many links - NEED TO CHECK THEM ALL - maybe this pages needs redirect preferences.pl - Needs redirect,
Perl scripts in htdocs that need to be tested as possible side channels:
404.pl - shows a double page when called directly - normal menus ajax.pl - blanl page, no memus, nothing dangerous with or without javascript article.pl - nothing for yu to see here message, has normal side menus badge.pl - Internal Server Error direct from apache. blob.pl - goes to 404.pl comments.pl - varnish error: Error 503 Service Unavailable edit.pl - The server encountered an internal error or misconfiguration but with normal menus fileadmin.pl - blank page, with normal menus. hof.pl - most active, most visted, may need redirect. imgupload.pl - Apache internal server error login.pl - Goes back to index page, CHECK metamod.pl - apache server error with full menus print.pl - seems to go just to index page CHECK pubkey.pl - pure white screen with plain text message "You need to supply the name of a user." shtml.pl - error, with menus, The requested URL (shtml.pl) was not found. stats.pl - admin reports page, FIX? TEST users2.pl - apacche internal eror with normal menus users.pl - admin page showing user security level, other stuff CHECK zoo.pl - seems to just redirect to normal index CHECK
http://perl.apache.org/docs/1.0/index.html
21:09 stderr Hmm... Can you use an AuthUser on a virtual host that acts like a proxy? NCommander audioguy, oh wait, you're using varnish NCommander You need a fucking hack in slash to make that work NCommander There's a sanity check I stabbed out that causes slash to act stupid when its varnished audioguy That is what I was afraid of. Wondering if there is a simple way to do the same thing in slash code. 21:10 NCommander I think the patch is on the master branch, if not, you need to grep for "X-Forwarded-By" in slashcode -- mechanicjay audioguy: is it borked? 21:45 mechanicjay Varnish is passing everything through audioguy It is getting in the way of me trying to debug a problem audioguy I am trying to use .htaccess files, it is not letting me see the real errors, audioguy Logs shows this: audioguy [Wed Mar 5 05:40:08 2014] [error] :Slash::Utility::Environment:/usr/local/lib64/perl5/Slash/Utility/Environment.pm:683:cannot getSkin for empty skid='' ;; Which was called by:Slash::Apache:/usr/local/lib64/perl5/Slash/Apache.pm:359 21:46 mechanicjay Varnish should not be caching anything for the slashcott domain. I'll double check right now
Minifed javascript for jquery
This has now been placed on slashcott as a test to see if it workable on the main site.
I simply replaced the file in
/usr/local/slash/plugins/Ajax/htdocs/images/jquery/jquery-1.3.2.js
with
/usr/local/slash/plugins/Ajax/htdocs/images/jquery/jquery-1.3.2.min.js
after backing the original up, of course:
[root@slashcode jquery]# pwd /usr/local/slash/plugins/Ajax/htdocs/images/jquery [root@slashcode jquery]# ls jquery-1.3.2.js jquery.autogrow.js jquery.textselection.js ui.sortable.js jquery-1.3.2.min.js jquery.elastic-1.6.js ORIGINALjquery-1.3.2.js ui.tabs.js jquery.autocomplete.css jquery.lazyload.js ui.core.js jquery.autocomplete.js jquery.metadata.js ui.draggable.js
The minified version is about 50% smaller.
57254 Mar 5 14:33 jquery-1.3.2.js 57254 Mar 5 14:30 jquery-1.3.2.min.js 120764 Mar 3 20:21 ORIGINALjquery-1.3.2.js
- [[1]] git - themes
http://www.mediawiki.org/wiki/Help:Images
error
Tue Mar 11 15:49:11 2014 tagbox.pl forked; dbsparklines.pl in 49s
Tue Mar 11 15:49:12 2014 [tagbox.pl] begin (31934)
Tue Mar 11 15:49:12 2014 [tagbox.pl] Can't call method "getTagboxes" on an undefined value at /tmp
/PGUkbKEnL8 line 65.
Tue Mar 11 15:49:12 2014 tagbox.pl odd exit (status 25, signal 0)
Tue Mar 11 15:49:50 2014 sent SIGUSR1 to running tasks: pid 6370 (process_file_queue.pl) pid 6416
(balance_readers.pl) pid 6501 (sphinx_indexer.pl)
Tue Mar 11 15:49:50 2014 Exiting slashd (TERM) with pid 6324
Tue Mar 11 20:27:31 2014 Starting slashd with pid 5713
Tue Mar 11 20:27:31 2014 Starting slashd on soylent-www (verbosity 2) with pid 5713
Use of uninitialized value $ENV{"SF_SYSTEM_FUNC"} in pattern match (m//) at /tmp/SzlreZ9fNi line 2
4.
Tue Mar 11 20:27:31 2014 requiring '/srv/soylentnews.org/slashcode/site/soylent-mainpage/tasks/fir
ehose_get_thumbnails.pl' raised exception: Can't locate File/Type.pm in @INC (@INC contains: /srv/
soylentnews.org/local/lib/perl5/5.10.1/x86_64-linux /srv/soylentnews.org/local/lib/perl5/5.10.1 /s
rv/soylentnews.org/local/lib/perl5/site_perl/5.10.1/x86_64-linux /srv/soylentnews.org/local/lib/pe
rl5/site_perl/5.10.1 .) at /tmp/cfoF1coqdw line 17.
BEGIN failed--compilation aborted at /tmp/cfoF1coqdw line 17.
Compilation failed in require at /srv/soylentnews.org/slashcode/sbin/slashd line 412.
Tue Mar 11 20:27:31 2014 requiring '/srv/soylentnews.org/slashcode/site/soylent-mainpage/tasks/fir
ehose_get_thumbnails.pl' caused error: Inappropriate ioctl for device
Tue Mar 11 20:27:31 2014 '/srv/soylentnews.org/slashcode/site/soylent-mainpage/tasks/firehose_get_
thumbnails.pl' did not set code properly
Tue Mar 11 20:27:31 2014 '/srv/soylentnews.org/slashcode/site/soylent-mainpage/tasks/firehose_get_
thumbnails.pl' did not set timespec properly
Use of uninitialized value $ENV{"SF_SYSTEM_FUNC"} in pattern match (m//) at /tmp/wL_HD2j9GS line 2
6.
http://soylentnews.org/~prospectacle/journal/